flaw

Apple issues critical security update for QuickTime

Apple has issued a critical security update for QuickTime media player, aimed at resolving vulnerabilities that could potentially allow a malicious attacker to take control of a person's computer, according to an Apple advisory released this week.

People running QuickTime 7 for Windows and for Mac OS X are affected, as well as those who are using Mac OS X 10.4 or Mac OS X 10.5, according to Apple.

Apple is advising people to update to QuickTime 7.6 for Windows, QuickTime 7.6 for Leopard, or QuickTime 7.6 for Tiger.

The update seeks to address …

Top 25 'most dangerous' coding errors revealed

Security experts from U.S. government agencies, multinational companies, and academia have released a list of what they consider to be the 25 most critical errors made while coding software.

Participants from more than 30 organizations worked together to agree on the 25 "most dangerous" errors, the SANS Institute said in a statement on Monday. They included experts from the U.S. National Security Agency, the U.S. Computer Emergency Response Team (US-CERT), Mitre, and the SANS Institute, as well as from Microsoft, Apple, and Oracle.

The list was released so programmers can check their code for the …

Mozilla patches highly critical security flaws

Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.

Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.

The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.

According to a research note released Wednesday by security researcher Secunia:

Some vulnerabilities have …

Microsoft releases patch for critical IE security flaw

Microsoft released a critical security patch on Wednesday to plug vulnerabilities in Internet Explorer, a move that comes as malicious attackers are taking advantage of the security flaws.

The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious Web site, or a legitimate Web site that has been infected.

This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users.

The vulnerabilities are found not only in IE 7, Microsoft's latest browser, but also in Internet Explorer 5.01, Internet Explorer …

Kernel vulnerability found in Vista

A flaw in Vista's networking has been found that can crash the system, but no fix is expected until the next service pack.

A flaw has been found in Windows Vista that could allow rootkits to be hidden or denial-of-service attacks to be executed on computers using the operating system.

The vulnerability was found by Thomas Unterleitner of Austrian security company Phion and was announced Friday. Unterleitner told ZDNet UK on Friday that Phion told Microsoft about the flaw in October but that he understood a fix would only be issued in the next Vista service pack.

According to …

iPhone Security Flaw May Allow Apps to Execute Arbitrary Code, Bypass Approval

Developers of third-party iPhone Apps may have a way to circumvent Apple's iTunes App Store approval process for their updated Apps by executing arbitrary code from within their own applications whenever they choose to do so.

The newly discovered exploit relies on a technique found by developer Patrick Collison and documented on his blog. Essentially, Collison discovered a workaround that allows for the display of dynamic default.png images. These images load whenever apps are launched on the iPhone. An Xcode Project demoing the exploit can be downloaded and a video demoing the exploit can be found …

Jailbreaker Claims Flaw Can Crash Any iPhone

Italian systems engineer Piergiorgio Zambrini, developer of Ziphone, one of the first easy-to-use applications for jailbreaking and unlocking the iPhone, has released a new video purportedly delivering proof that a flaw can crash any iPod and iPhone. The bug allegedly resides in the audio portion of Apple's video subsystem.

His blog post, titled "Boom!," states:

"Here we are again! When Steve says something it usually happens... So what do we have here? A video. Yes a stupid nasty video which can crash ANY iPod/iPhone. A different version of this video can even crash many …

At Black Hat, Kaminsky details DNS flaw

Security researcher Dan Kaminsky has offered more details about a fundamental flaw in the Domain Name System and the extent of the vulnerability.

In a presentation at the Black Hat security conference in Las Vegas on Wednesday, Kaminsky gave details of how a successful DNS cache poisoning attack could be launched by taking advantage of the flaw.

Kaminsky explained that transaction IDs, which are supposed to prevent "bad guys" from assigning their own IP address numbers to any domain, are ineffective as security measures. An attacker could flood a DNS server with multiple, slightly varied requests for a …

Apple releases patch for critical DNS flaw

Apple released a security update Thursday to users of its Tiger and Leopard operating systems to address a critical and well-publicized Domain Name System flaw, along with a dozen other updates.

The DNS flaw, which was first reported by Dan Kaminsky of IOActive on July 8, could allow attackers to redirect Web site visitors to any site they choose and present forged information. The DNS translates the common name of a Web site into its numerical IP address, and is therefore a fundamental component of the Internet.

During the second pre-Black Hat security conference Webinar on July 24, Kaminsky provided …

Enterprise organizations must take note of the Kaminsky DNS flaw

If you haven't heard about the current DNS vulnerability, here is a Reader's Digest-like summary. Security guru Dan Kaminsky found a vulnerability that could give the bad guys a relatively easy way to redirect Internet traffic. For example: You might think you are logging on to Bank of America's Web site. But instead, some hacker may have just exploited a domain name system vulnerability and is now in control of your identity.

Kaminsky deserves credit for finding this flaw and alerting the Internet community so it could fix the problem. This effort is well under way, but …